U.S. Department of Agriculture
Office of Inspector General
Financial Audit Operations

Statement on Standards for Attestation Engagements No. 16 Report on Controls at the National Information Technology Center

Report 88501-1-11
September 2011


United States Department of Agriculture
Office of Inspector General
Washington, D.C. 20250

DATE:           September 19, 2011

AUDIT NUMBER:   88501-1-11

TO:             Christopher L. Smith
                Chief Information Officer
                Office of the Chief Information Officer

ATTN:           Sherry Linkins
                Information Resources Management

FROM:           Gil H. Harden /s/
                Assistant Inspector General
                  for Audit

SUBJECT:        Statement on Standards for Attestation Engagements No. 16 Report on Controls at the National Information Technology Center


This report presents the results of our Statement on Standards for Attestation Engagements (SSAE) No. 16 examination for the Office of the Chief Information Officer/National Information Technology Center (OCIO/NITC) (formerly referred to as our Statement on Auditing Standards No. 70 [SAS 70] audit at the OCIO/NITC). Our examination was conducted in accordance with Government Auditing Standards, issued by the Comptroller General of the United States, and relevant attestation standards established by the American Institute of Certified Public Accountants. This report contains the OCIO/NITC systems description and OCIO/NITC management's assertion about whether the description is fairly presented and whether controls are suitably designed and operating effectively to achieve the control objectives stated in the description. Additionally, the report includes our unqualified opinion on OCIO/NITC's controls based on the criteria described in its assertion. Furthermore, the report does not contain recommendations. The projection of any conclusions based on our examination findings to future periods is subject to the risk that changes may alter the validity of such conclusions. This report is intended solely for the management of OCIO/NITC, its customer agencies, and their auditors.

We appreciate the courtesies and cooperation extended to us by members of your staff during this engagement.


Table of Contents

Executive Summary ..................................................................... 1
Independent Service Auditors' Report .................................................. 2
Abbreviations ......................................................................... 5
Exhibit A: Office of the Chief Information Officer/National Information Technology Center – Management's Systems Description ..... 6
Exhibit B: Office of the Chief Information Officer/National Information Technology Center – Management's Assertion .............. 37
Exhibit C: Office of Inspector General Tests of the Office of the Chief Information Officer/National Information Technology Center Controls ..... 39


Executive Summary
Statement on Standards for Attestation Engagements No. 16 Report on Controls at the National Information Technology Center (Report 88501-1-11)

Results in Brief
This report presents the results of our Statement on Standards for Attestation Engagements No. 16 examination for the Office of the Chief Information Officer/National Information Technology Center (OCIO/NITC). Our examination was conducted in accordance with Government Auditing Standards, issued by the Comptroller General of the United States, and relevant attestation standards established by the American Institute of Certified Public Accountants.

OCIO/NITC provided us with a description of its systems for the period from July 1, 2010, to June 30, 2011, included as exhibit A, and an assertion, included as exhibit B, about the fair presentation of the description and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives stated in its description. Our objectives were to obtain reasonable assurance about whether, in all material respects, based on suitable criteria, (1) management's description of OCIO/NITC systems fairly presents the systems that were designed and implemented throughout the period specified in the description; (2) the controls related to the control objectives stated in the description of OCIO/NITC systems were suitably designed throughout the specified period; and (3) the controls operated effectively to provide reasonable assurance that the control objectives stated in the description of OCIO/NITC systems were achieved throughout the specified period.

In our opinion, in all material respects, based on the criteria described in OCIO/NITC's assertion, the description fairly presents the OCIO/NITC systems that were designed and implemented throughout the period from July 1, 2010, to June 30, 2011. Also, in our opinion, the controls included in the description were suitably designed and operating effectively to provide reasonable assurance that the associated control objectives would be achieved from July 1, 2010, to June 30, 2011, if user entities effectively applied the complementary controls contemplated in the design of OCIO/NITC controls throughout this period.

Recommendation Summary
We do not make any recommendations in this report.

Report 88501-1-11                                                                                 1


Independent Service Auditors' Report
To:     Christopher L. Smith
        Chief Information Officer
        Office of the Chief Information Officer

Scope
We have examined the Department of Agriculture's Office of the Chief Information Officer/National Information Technology Center (OCIO/NITC) description of its general support systems [1] and eAuthentication application made available to user entities for processing their transactions throughout the period from July 1, 2010, to June 30, 2011, included as exhibit A, and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives stated in the description. The description indicates that OCIO/NITC considered complementary user entity controls in the design of OCIO/NITC controls. We did not evaluate the suitability of the design or operating effectiveness of such complementary user entity controls.

OCIO/NITC used subservice organizations for data sanitization, disaster recovery, web farm support, and network and internet connectivity. The description in exhibit A includes only the controls and related control objectives of OCIO/NITC and excludes the control objectives and related controls of the specified subservice organizations. Our examination did not extend to controls of the subservice organizations specified by OCIO/NITC.

OCIO/NITC's Responsibilities
OCIO/NITC has provided an assertion, included as exhibit B, about the fair presentation of the description and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives stated in its description, included as exhibit A. OCIO/NITC is responsible for preparing the description and for the assertion, including the completeness, accuracy, and method of presentation of the description and the assertion; providing the services covered by the description; specifying the control objectives and stating them in the description; identifying the risks that threaten the achievement of the control objectives; selecting the criteria; and designing, implementing, and documenting controls to achieve the related control objectives stated in the description.

Office of Inspector General's Responsibilities
Our responsibility is to express an opinion on the fairness of the presentation of the description and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives stated in the description, based on our examination. We conducted our examination in accordance with Government Auditing Standards, issued by the Comptroller General of the United States, and relevant attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform our examination to obtain reasonable assurance about whether, in all material respects, the description is fairly presented and the controls were suitably designed and operating effectively to achieve the related control objectives stated in the description throughout the period from July 1, 2010, to June 30, 2011.

An examination of a description of a service organization's systems and the suitability of the design and operating effectiveness of the service organization's controls to achieve the related control objectives stated in the description involves performing procedures to obtain evidence about the fairness of presentation of the description and the suitability of the design and operating effectiveness of those controls to achieve the related control objectives stated in the description. Our procedures included assessing the risks that the description is not fairly presented and that the controls were not suitably designed or operating effectively to achieve the related control objectives stated in the description. Our procedures also included testing the operating effectiveness of those controls that we consider necessary to provide reasonable assurance that the related control objectives stated in the description were achieved. An examination engagement of this type also includes evaluating the overall presentation of the description and the suitability of the control objectives stated therein, and the suitability of the criteria specified by the service organization and described in exhibit A. We believe that the evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion.

Inherent Limitations
Because of their nature, controls at a service organization may not prevent, or detect and correct, all errors or omissions in supporting user entities' applications or transactions. Also, the projection to the future of any evaluation of the fairness of presentation of the description, or of conclusions about the suitability of the design or operating effectiveness of the controls to achieve the related control objectives, is subject to the risk that controls at a service organization may become inadequate or fail.

Opinion
In our opinion, in all material respects, based on the criteria described in OCIO/NITC's assertion in exhibit B:

   ·   The description fairly presents the OCIO/NITC general support systems and eAuthentication application that were designed and implemented throughout the period from July 1, 2010, to June 30, 2011.

   ·   The controls related to the control objectives stated in the description were suitably designed to provide reasonable assurance that the control objectives would be achieved if the controls operated effectively throughout the period from July 1, 2010, to June 30, 2011, and user entities applied the complementary controls contemplated in the design of OCIO/NITC controls throughout the period from July 1, 2010, to June 30, 2011.

   ·   The controls tested, which were those OCIO/NITC controls necessary to provide reasonable assurance that the control objectives stated in the description were achieved [2], operated effectively throughout the period from July 1, 2010, to June 30, 2011.

Description of Tests of Controls
The specific controls tested and the nature, timing, and results of those tests are included in exhibit C.

Restricted Use
This report, including the description of tests of controls and results thereof in exhibit C, is intended solely for the information and use of OCIO/NITC, user entities of OCIO/NITC support systems during some or all of the period from July 1, 2010, to June 30, 2011, and the independent auditors of such user entities, who have a sufficient understanding to consider it, along with other information including information about controls implemented by user entities themselves, when assessing the risks of material misstatements of user entities' financial statements. This report is not intended to be and should not be used by anyone other than these specified parties.


Gil H. Harden /s/
Assistant Inspector General
  for Audit

September 14, 2011

Washington, D.C.


[1] As shown in the OCIO/NITC description included as exhibit A, those systems are the Mainframe, Telecommunications Network, and Infrastructure Support System.

[2] In addition to the OCIO/NITC controls we tested, the effective application of the complementary user entity controls referred to in the scope paragraph of this report is necessary to achieve the related control objectives.


Abbreviations
C&A                 certification and accreditation
CSAM                Cyber Security Assessment and Management
eAuth               eAuthentication
FIPS                Federal Information Processing Standards
IS                  Information System
IT                  Information Technology
NIST                National Institute of Standards and Technology
NITC                National Information Technology Center
OCIO                Office of the Chief Information Officer
POA&M               Plan of Action & Milestones
SDLC                System Development Life Cycle
SSP                 System Security Plan
USDA                Department of Agriculture


The subsequent sections of the report, exhibit A (pages 6 through 36), exhibit B (pages 37 through 38), and exhibit C (pages 39 through 56), are not being publicly released due to their sensitive security content.